CVE-2006-4447 - Local Privilege Escalation vulnerability in Multiple X.Org Products SetUID

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, low complexity, x-org, nessus

Summary

X.Org and XFree86, including libX11, xdm, xf86dga, xinit, xload, xtrans, and xterm, does not check the return values for setuid and seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail, such as by exceeding a ulimit.
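As an added illustration of the bug pattern described in the summary (and of the resource-limit detail in the Gentoo advisory below), written for this page and not taken from X.Org or any advisory: the unchecked privilege drop beside a checked one. The set*uid() call is passed in as a function pointer, an assumption of this example, so that the EAGAIN failure the ulimit case produces can be simulated with the constructed stand-in `setuid_over_nproc_limit` rather than by exhausting RLIMIT_NPROC.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The set*uid() call is injected so the EAGAIN failure can be exercised
 * without really exhausting RLIMIT_NPROC (a choice of this example). */
typedef int (*setuid_fn_t)(uid_t);

/* Vulnerable pattern from the advisory: the return value is discarded,
 * so a failed drop leaves the process with its original (root) euid.
 * Returns the euid the process is actually left with; the function
 * itself never looks at the result, which is the bug. */
uid_t drop_privs_unchecked(setuid_fn_t do_setuid, uid_t target)
{
    do_setuid(target);      /* result ignored */
    return geteuid();
}

/* Hardened pattern: a failed set*uid() is fatal and the kernel state is
 * re-read to confirm the change. 0 on success, -1 on failure. */
int drop_privs_checked(setuid_fn_t do_setuid, uid_t target)
{
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%u) failed: %s\n",
                (unsigned)target, strerror(errno));
        return -1;
    }
    if (getuid() != target || geteuid() != target) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    return 0;
}

/* Constructed stand-in for setuid() when the target uid already sits at
 * its RLIMIT_NPROC ceiling: the kernel refuses with EAGAIN. */
int setuid_over_nproc_limit(uid_t target)
{
    (void)target;
    errno = EAGAIN;
    return -1;
}

int main(void)
{   /* simulated EAGAIN: the checked drop refuses, the unchecked one does not */
    drop_privs_unchecked(setuid_over_nproc_limit, 65534);
    return drop_privs_checked(setuid_over_nproc_limit, 65534) == -1 ? 0 : 1;
}
```

A caller that receives -1 from the checked variant must abort its privileged work rather than continue, which is exactly the step the affected programs skipped.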

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200704-22.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200704-22 (BEAST: Denial of Service) BEAST, which is installed as setuid root, fails to properly check whether it can drop privileges accordingly if seteuid() fails due to a user exceeding assigned resource limits. Impact : A local user could exceed his resource limit in order to prevent the seteuid() call from succeeding. This may lead BEAST to keep running with root privileges. Then, the local user could use the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25110
    published: 2007-04-30
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25110
    title: GLSA-200704-22 : BEAST: Denial of Service
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200704-22.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25110);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2006-2916", "CVE-2006-4447");
      script_xref(name:"GLSA", value:"200704-22");
    
      script_name(english:"GLSA-200704-22 : BEAST: Denial of Service");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200704-22
    (BEAST: Denial of Service)
    
        BEAST, which is installed as setuid root, fails to properly check
        whether it can drop privileges accordingly if seteuid() fails due to a
        user exceeding assigned resource limits.
      
    Impact :
    
        A local user could exceed his resource limit in order to prevent the
        seteuid() call from succeeding. This may lead BEAST to keep running
        with root privileges. Then, the local user could use the 'save as'
        dialog box to overwrite any file on the vulnerable system, potentially
        leading to a Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200704-22"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All BEAST users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-sound/beast-0.7.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:beast");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/04/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/06/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-sound/beast", unaffected:make_list("ge 0.7.1"), vulnerable:make_list("lt 0.7.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "BEAST");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200608-25.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200608-25 (X.org and some X.org libraries: Local privilege escalations) Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Impact : Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22287
    published: 2006-08-30
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22287
    title: GLSA-200608-25 : X.org and some X.org libraries: Local privilege escalations
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200608-25.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22287);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-4447");
      script_xref(name:"GLSA", value:"200608-25");
    
      script_name(english:"GLSA-200608-25 : X.org and some X.org libraries: Local privilege escalations");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200608-25
    (X.org and some X.org libraries: Local privilege escalations)
    
        Several X.org libraries and X.org itself contain system calls to
        set*uid() functions, without checking their result.
      
    Impact :
    
        Local users could deliberately exceed their assigned resource limits
        and elevate their privileges after an unsuccessful set*uid() system
        call. This requires resource limits to be enabled on the machine.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://lists.freedesktop.org/archives/xorg/2006-June/016146.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.freedesktop.org/archives/xorg/2006-June/016146.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200608-25"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All X.Org xdm users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-apps/xdm-1.0.4-r1'
        All X.Org xinit users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-apps/xinit-1.0.2-r6'
        All X.Org xload users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-apps/xload-1.0.1-r1'
        All X.Org xf86dga users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-apps/xf86dga-1.0.1-r1'
        All X.Org users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-base/xorg-x11-6.9.0-r2'
        All X.Org X servers users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.1.0-r1'
        All X.Org X11 library users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-libs/libx11-1.0.1-r1'
        All X.Org xtrans library users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-libs/xtrans-1.0.1-r1'
        All xterm users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=x11-terms/xterm-215'
        All users of the X11R6 libraries for emulation of 32bit x86 on amd64
        should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=app-emulation/emul-linux-x86-xlibs-7.0-r2'
        Please note that the fixed packages have been available for most
        architectures since June 30th but the GLSA release was held up waiting
        for the remaining architectures."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:emul-linux-x86-xlibs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:libx11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xdm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xf86dga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xload");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xorg-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xorg-x11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xterm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xtrans");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list", "Host/Gentoo/arch");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    ourarch = get_kb_item("Host/Gentoo/arch");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    
    
    flag = 0;
    
    if (qpkg_check(package:"x11-base/xorg-server", unaffected:make_list("rge 1.0.2-r6", "ge 1.1.0-r1"), vulnerable:make_list("lt 1.1.0-r1"))) flag++;
    if (qpkg_check(package:"x11-apps/xf86dga", unaffected:make_list("ge 1.0.1-r1"), vulnerable:make_list("lt 1.0.1-r1"))) flag++;
    if (qpkg_check(package:"x11-apps/xinit", unaffected:make_list("ge 1.0.2-r6"), vulnerable:make_list("lt 1.0.2-r6"))) flag++;
    if (qpkg_check(package:"x11-apps/xdm", unaffected:make_list("ge 1.0.4-r1"), vulnerable:make_list("lt 1.0.4-r1"))) flag++;
    if (qpkg_check(package:"x11-libs/xtrans", unaffected:make_list("ge 1.0.0-r1"), vulnerable:make_list("lt 1.0.0-r1"))) flag++;
    if (qpkg_check(package:"x11-terms/xterm", unaffected:make_list("ge 215"), vulnerable:make_list("lt 215"))) flag++;
    if (qpkg_check(package:"x11-libs/libx11", unaffected:make_list("ge 1.0.1-r1"), vulnerable:make_list("lt 1.0.1-r1"))) flag++;
    if (qpkg_check(package:"x11-apps/xload", unaffected:make_list("ge 1.0.1-r1"), vulnerable:make_list("lt 1.0.1-r1"))) flag++;
    if (qpkg_check(package:"app-emulation/emul-linux-x86-xlibs", arch:"amd64", unaffected:make_list("ge 7.0-r2"), vulnerable:make_list("lt 7.0-r2"))) flag++;
    if (qpkg_check(package:"x11-base/xorg-x11", unaffected:make_list("rge 6.8.2-r8", "ge 6.9.0-r2"), vulnerable:make_list("lt 6.9.0-r2"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "X.org and some X.org libraries");
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-160.NASL
    description: X.Org and XFree86, including libX11, xdm, xf86dga, xinit, xload, xtrans, and xterm, does not check the return values for setuid and seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail, such as by exceeding a ulimit. In practice, it is unlikely that these programs have any real-world vulnerability. The X binary is the only one shipped suid. Further analysis of the code in question shows that it
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23904
    published: 2006-12-16
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23904
    title: Mandrake Linux Security Advisory : xorg-x11 (MDKSA-2006:160)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1193.NASL
    description: Several vulnerabilities have been discovered in the X Window System, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-3467 Chris Evans discovered an integer overflow in the code to handle PCF fonts, which might lead to denial of service if a malformed font is opened. - CVE-2006-3739 It was discovered that an integer overflow in the code to handle Adobe Font Metrics might lead to the execution of arbitrary code. - CVE-2006-3740 It was discovered that an integer overflow in the code to handle CMap and CIDFont font data might lead to the execution of arbitrary code. - CVE-2006-4447 The XFree86 initialization code performs insufficient checking of the return value of setuid() when dropping privileges, which might lead to local privilege escalation.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22734
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22734
    title: Debian DSA-1193-1 : xfree86 - several vulnerabilities

Statements

contributor: Mark J Cox
last modified: 2006-09-12
organization: Red Hat
statement: Not Vulnerable. This issue does not exist in Red Hat Enterprise Linux 2.1 or 3. This issue is not exploitable in Red Hat Enterprise Linux 4. A detailed analysis of this issue can be found in the Red Hat Bug Tracking System: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195555